Privacy changes in Android 10

Android 10 (API level 29) introduces a number of features and behavior changes
to better protect users' privacy. These changes extend the transparency and
control that users have over their data and the capabilities they give to apps.
As a result, specific behaviors or data that your app depends on may behave
differently compared to older versions of the platform.
The impacts on your app should be minimal if your app is following current best
practices for handling user data.

Top changes

This section includes the key changes in Android 10 related to
privacy.

External storage access scoped to app files and media

By default, apps targeting Android 10 and higher are given scoped access into
external storage, or scoped storage. Such apps can see the following types of
files within an external storage device without needing to request any
storage-related user permissions:

Access to device location in the background requires permission

To support the additional control that users have over an app's access to
location information, Android 10 introduces the ACCESS_BACKGROUND_LOCATION
permission.

Unlike the ACCESS_FINE_LOCATION and ACCESS_COARSE_LOCATION permissions, the
ACCESS_BACKGROUND_LOCATION permission only affects an app's access to location
when it runs in the background. An app is considered to be accessing location
in the background unless one of the following conditions is satisfied:

To declare the foreground service type for a service in your app, set your
app's targetSdkVersion or compileSdkVersion to 29 or higher. Learn more about
how foreground services can continue user-initiated actions that require
access to location.

Access granted automatically when targeting Android 9 or lower

If your app runs on Android 10 or higher but targets Android 9
(API level 28) or lower, the platform applies the following behavior:

If your app requests either ACCESS_FINE_LOCATION or
ACCESS_COARSE_LOCATION, the system automatically adds
ACCESS_BACKGROUND_LOCATION to the request.

Access when device is upgraded to Android 10

If a user grants your app access to device location – either
ACCESS_COARSE_LOCATION or ACCESS_FINE_LOCATION – then upgrades their device
from Android 9 to Android 10, the system automatically updates the set of
location-based permissions granted to your app. The set of permissions that
your app receives after the upgrade depends on its target SDK version and its
defined permissions, as shown in the following table:

Table 1. Changes in location permission state after device upgrade to Android 10

| Target platform version | Coarse or fine permission granted? | Background permission defined in manifest? | Updated default permission state |
|---|---|---|---|
| Android 10 | Yes | Yes | Foreground and background access |
| Android 10 | Yes | No | Foreground access only |
| Android 10 | No | (Ignored by system) | No access |
| Android 9 or lower | Yes | Automatically added by the system at device upgrade time | Foreground and background access |
| Android 9 or lower | No | (Ignored by system) | No access |

Caution: Even after the system automatically updates your app's access to device
location, the user has the option to change this level of access. The user might
reduce your app's access to foreground only or revoke access entirely. Before
attempting to access the device's location, particularly within a foreground
service, your app should check whether the user still allows your app to receive
this location information.
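
The check that the caution above calls for, as an added Kotlin example that is not part of the original page. It assumes the AndroidX `ContextCompat` helper is available; `LocationAccess`, `currentLocationAccess` and `mayReadLocation` are hypothetical names, and the caller supplies whether the app is currently in the foreground.

```kotlin
import android.Manifest
import android.content.Context
import android.content.pm.PackageManager
import android.os.Build
import androidx.core.content.ContextCompat

// Hypothetical type for this example: the three access levels from Table 1.
enum class LocationAccess { NONE, FOREGROUND_ONLY, FOREGROUND_AND_BACKGROUND }

// Re-evaluates the grant state on every call, because the user can reduce or
// revoke access in system settings at any time.
fun currentLocationAccess(context: Context): LocationAccess {
    fun granted(permission: String) =
        ContextCompat.checkSelfPermission(context, permission) ==
            PackageManager.PERMISSION_GRANTED

    val foreground = granted(Manifest.permission.ACCESS_FINE_LOCATION) ||
        granted(Manifest.permission.ACCESS_COARSE_LOCATION)
    if (!foreground) return LocationAccess.NONE

    // ACCESS_BACKGROUND_LOCATION exists only on API level 29 and higher.
    // On older platform versions there is no separate background permission.
    val background = Build.VERSION.SDK_INT < Build.VERSION_CODES.Q ||
        granted(Manifest.permission.ACCESS_BACKGROUND_LOCATION)

    return if (background) {
        LocationAccess.FOREGROUND_AND_BACKGROUND
    } else {
        LocationAccess.FOREGROUND_ONLY
    }
}

// Guard to call immediately before each location request.
// appInForeground is an assumption of this example: the caller decides it.
fun mayReadLocation(context: Context, appInForeground: Boolean): Boolean =
    when (currentLocationAccess(context)) {
        LocationAccess.NONE -> false
        LocationAccess.FOREGROUND_ONLY -> appInForeground
        LocationAccess.FOREGROUND_AND_BACKGROUND -> true
    }
```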

Restrictions on starting activities from the background

Starting in Android 10, the system places restrictions on starting activities
from the background. This behavior change helps minimize interruptions for the
user and keeps the user more in control of what's shown on their screen. As
long as your app starts activities as a direct result of user interaction, your
app most likely isn't affected by these restrictions.

Identifiers and data

This section lists changes specific to working with device identifiers and data.

Removal of contacts affinity

Starting in Android 10, the platform doesn't keep track of
contacts affinity information. As a result, if your app conducts a search on the
user's contacts, the results aren't ordered by frequency of interaction.

Restriction on access to /proc/net filesystem

On devices that run Android 10 or higher, apps cannot access /proc/net, which
includes information about a device's network state. Apps that need access to
this information, such as VPNs, should use the NetworkStatsManager or
ConnectivityManager class.

Restriction on non-resettable device identifiers

Starting in Android 10, apps must have the
READ_PRIVILEGED_PHONE_STATE privileged permission in order to access the
device's non-resettable identifiers, which include both IMEI and serial number.

Camera and connectivity

Restriction on access to camera details and metadata

Android 10 changes the breadth of information that the
getCameraCharacteristics() method returns by default. In particular, your app
must have the CAMERA permission in order to access potentially device-specific
metadata that is included in this method's return value.
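
An added Kotlin example, not part of the original page, showing how an app can find out which characteristics the platform withholds when it lacks the CAMERA permission, and read a single value without assuming it is present. `withheldCameraKeys` and `readCharacteristic` are hypothetical names, and the AndroidX `ContextCompat` helper is assumed.

```kotlin
import android.Manifest
import android.content.Context
import android.content.pm.PackageManager
import android.hardware.camera2.CameraCharacteristics
import android.hardware.camera2.CameraManager
import android.os.Build
import androidx.core.content.ContextCompat

private fun cameraManager(context: Context) =
    context.getSystemService(Context.CAMERA_SERVICE) as CameraManager

// Names of the characteristics keys this app cannot read right now because it
// does not hold the CAMERA permission. Empty when nothing is withheld.
fun withheldCameraKeys(context: Context, cameraId: String): List<String> {
    val hasCamera = ContextCompat.checkSelfPermission(
        context, Manifest.permission.CAMERA
    ) == PackageManager.PERMISSION_GRANTED

    // getKeysNeedingPermission() was added in API level 29, the same release
    // that introduced the restriction.
    if (hasCamera || Build.VERSION.SDK_INT < Build.VERSION_CODES.Q) {
        return emptyList()
    }

    return cameraManager(context)
        .getCameraCharacteristics(cameraId)
        .keysNeedingPermission
        .map { it.name }
}

// Reads one characteristic and returns null instead of failing when the value
// is absent, which is what a permission-gated key yields without CAMERA.
fun <T> readCharacteristic(
    context: Context,
    cameraId: String,
    key: CameraCharacteristics.Key<T>
): T? = cameraManager(context).getCameraCharacteristics(cameraId).get(key)
```

Which keys appear in the withheld list depends on the device, so callers should treat every `readCharacteristic` result as optional.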

Restriction on enabling and disabling Wi-Fi

If you need to prompt users to enable and disable Wi-Fi, use a settings
panel.

Restrictions on direct access to configured Wi-Fi networks

To protect user privacy, manual configuration of the list of Wi-Fi networks is
restricted to system apps and device policy controllers (DPCs). A given DPC can
be either the device owner or the profile owner.

If your app targets Android 10 or higher, and it isn't a system
app or a DPC, then the following methods don't return useful data:

If your app targets Android 10 or higher, it must have the ACCESS_FINE_LOCATION
permission in order to use several methods within the Wi-Fi, Wi-Fi Aware, or
Bluetooth APIs. The following sections list the affected classes and methods.

Bluetooth

Permissions

Note: Each change described in this section affects all apps on devices that
run Android 10 or higher, even apps that target Android 9 (API
level 28) or lower.

Restricted access to screen contents

To protect users' screen contents, Android 10 prevents silent access to the
device's screen contents by changing the scope of the READ_FRAME_BUFFER,
CAPTURE_VIDEO_OUTPUT, and CAPTURE_SECURE_VIDEO_OUTPUT permissions. As of
Android 10, these permissions are signature-access only.

Apps that need to access the device's screen contents should use the
MediaProjection API, which displays a prompt asking the user to provide consent.

User-facing permission check on legacy apps

If your app targets Android 5.1 (API level 22) or lower, users see a permissions
screen when using your app on a device that runs Android 10 or
higher for the first time, as shown in Figure 1. This screen gives users the
opportunity to revoke access to permissions that the system previously granted
to your app at install time.

Caution: If you want to publish your app on Google Play, you must target Android
9 (API level 28) or higher. To learn more, see the guide on how to meet
Google Play's target API level requirement.

Figure 1. User-facing dialog that allows review of legacy permissions

Physical activity recognition

Android 10 introduces the ACTIVITY_RECOGNITION runtime permission for apps that
need to detect the user's step count or classify the user's physical activity,
such as walking, biking, or moving in a vehicle. This is designed to give users
visibility of how device sensor data is used in Settings.

If your app targets Android 9 (API level 28) or lower and specifies the
com.google.android.gms.permission.ACTIVITY_RECOGNITION permission in its
manifest file, the system auto-grants this permission to your app if needed.
When you update your app to target Android 10, the platform
retains the permission. However, the user can revoke this permission at any time
in system settings.